
Sample Pix 515/515E to ASA 5510 Site to Site VPN Config?


jondoe0069

Programmer
Jul 16, 2007
19
US
I have a Cisco PIX 515 and 515E at two remote locations that I need to use in a Site to Site VPN setup with an ASA 5510 at my headquarters location. I have gone through many configs and various info and have tried to set up the Site to Site VPN between these devices, but I'm not having any luck getting connectivity between the remote LANs. I've googled for the past few days, looking for an example Site to Site VPN configuration between a PIX and an ASA, but have yet to find anything. Does anyone know where I can find something like this? Thanks in advance for your help!
 
I am trying to create the tunnel between 10.133.2.0/24 on the PIX's inside int and 10.129.5.0/24 on the ASA's inside int. Thanks for any help!

PIX 515E Config:

PIX 515E(config)# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password **** encrypted
passwd **** encrypted
hostname PIX 515E
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list HQ-VPN permit ip 10.133.2.0 255.255.255.0 10.129.5.0 255.255.255.0
access-list NONAT permit ip 10.133.2.0 255.255.255.0 10.129.5.0 255.255.255.0
pager lines 24
logging on
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside pppoe
ip address inside 10.133.2.254 255.255.255.0
no ip address intf2
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location *.*.*.* 255.255.255.255 outside
pdm location 10.129.5.0 255.255.255.0 outside
pdm location *.*.*.* 255.255.255.255 inside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list NONAT
route outside 10.129.5.0 255.255.255.0 (ASA 5510 Outside IP) 1
route inside (ASA 5510 Outside IP) 255.255.255.255 (ISP end of the PPPOE connection) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http *.*.*.* 255.255.255.255 outside
http 10.133.2.0 255.255.255.0 inside
tftp-server inside 10.133.2.100 pdm-304.bin
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set HQ-VPN esp-3des esp-sha-hmac
crypto map HQ-VPN 1 ipsec-isakmp
crypto map HQ-VPN 1 match address HQ-VPN
crypto map HQ-VPN 1 set peer (ASA 5510 Outside IP)
crypto map HQ-VPN 1 set transform-set HQ-VPN
crypto map HQ-VPN 1 set security-association lifetime seconds 8000 kilobytes 4608000
crypto map HQ-VPN interface outside
isakmp enable outside
isakmp key ******** address (ASA 5510 Outside IP) netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group ATT_DSL request dialout pppoe
vpdn group ATT_DSL localname ***
vpdn group ATT_DSL ppp authentication pap
vpdn username *** password ********* store-local
terminal width 80
: end


ASA 5510 Config:


ASA 5510# show run
: Saved
:
ASA Version 8.0(4)
!
hostname ASA 5510
enable password **** encrypted
passwd **** encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.129.5.4 255.255.255.0
!
interface Ethernet0/2
nameif TestLab
security-level 50
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.254 255.255.255.0
management-only
!
ftp mode passive
access-list TestLab extended permit ip any host *.*.*.*
access-list OR-VPN extended permit ip 10.129.5.0 255.255.255.0 10.133.2.0 255.255.255.0
access-list NONAT extended permit ip 10.129.5.0 255.255.255.0 10.133.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.129.5.0 255.255.255.0 10.133.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu management 1500
mtu inside 1500
mtu TestLab 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-615.bin
asdm history enable
arp timeout 14400
global (outside) 1 *.*.*.*
nat (inside) 0 access-list NONAT
nat (TestLab) 1 192.168.1.0 255.255.255.0
static (TestLab,outside) *.*.*.* 192.168.1.64 netmask 255.255.255.255 dns
access-group TestLab in interface outside
route outside 10.133.2.0 255.255.255.0 (PIX 515E Outside IP Address) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http *.*.*.* 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set OR-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set OR-VPN
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto map OR-VPN 1 ipsec-isakmp dynamic dyn1
crypto map OR-VPN 2 match address outside_2_cryptomap
crypto map OR-VPN 2 set peer (PIX 515E Outside IP Address)
crypto map OR-VPN 2 set transform-set ESP-3DES-SHA
crypto map OR-VPN 2 set security-association lifetime seconds 28800
crypto map OR-VPN 2 set security-association lifetime kilobytes 4608000
crypto map OR-VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group ATT_DSL request dialout pppoe
vpdn group ATT_DSL localname ***
vpdn group ATT_DSL ppp authentication pap
vpdn username *** password ********* store-local
dhcpd dns *.*.*.* *.*.*.*
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group (PIX 515E Outside IP Address) type ipsec-l2l
tunnel-group (PIX 515E Outside IP Address) ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end



 
Are you trying to build a tunnel over the LAN? I do not see any of your outside interfaces assigned to a public IP. It has to traverse the internet, right?
 
jondoe, can you even get out to the Internet from either device on hosts inside?? I don't see a global (outside) 1 interface command or a proper default route on either device. I don't know your network setup, but these route statements on the PIX don't make sense to me:
Code:
route outside 10.129.5.0 255.255.255.0 (ASA 5510 Outside IP) 1
route inside (ASA 5510 Outside IP) 255.255.255.255 (ISP end of the PPPOE connection) 1
You should only need a single default route outside and no routes inside unless you have other subnets behind your PIX. The same goes for the route statement on your ASA, it should be a single route to your next hop which would typically be your border router, but in this case since you're doing PPPoE, it would be to your ISP.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
North,

It has a public address on the outside. It is static and stays the same, but it is obtained from the PPPOE connection, so it is not manually assigned in the config. I can ping from one firewall to the other and vice versa (outside to outside) over the internet.

Unclerico,

I'm an amateur, so I am kind of learning as I go. I deleted the inside route statement in question. I guess I just put that there to see if it helped.

The following line was put there because the Site to Site VPN instructions I was following said to put it there to direct traffic destined for the LAN on the other side of the VPN tunnel to the outside interface address of the other firewall:

route outside 10.129.5.0 255.255.255.0 (ASA 5510 Outside IP) 1
 
Oh, sorry- Also, I don't have a global. I didn't think I needed one since I'm only trying to traverse the tunnel. Is that still necessary? Wouldn't it just encapsulate the traffic in the tunnel since it's LAN to LAN?
 
And I just added a default route on the outside interface to hit the next hop of the PPPOE connection at the ISP.
 
The tunnel is now up. I was missing the following on the ASA:

crypto isakmp identity address

and

sysopt connection permit-vpn

I still can't ping from one remote LAN to the other though. Do I need to create ACL's on the inside interfaces to allow the traffic from one LAN to the other? I know the outside lets the VPN traffic through without checking it.

Thanks!
 
Code:
crypto isakmp identity address

and

sysopt connection permit-vpn
The isakmp identity address statement was already in your ASA config. You shouldn't need to add the permit-vpn statement; it is enabled by default as of 7.0 code. Are you sure you didn't change anything else?
Code:
I still can't ping from one remote LAN to the other though.  Do I need to create ACL's on the inside interfaces to allow the traffic from one LAN to the other?
Yes, you should have all interesting traffic defined in your crypto map acl as well as in your nonat acl.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
That is all I changed. The Cisco VPN support person told me to make those changes.

I do have all interesting traffic defined as far as I can tell. I also have my NAT 0 statements in there.
 
Here are the errors I receive on the ASA when I try to ping its inside interface from the inside of the PIX:

3 Feb 19 2009 16:07:21 713042 IKE Initiator unable to find policy: Intf outside, Src: 10.129.5.4, Dst: 10.133.2.254

3 Feb 19 2009 16:07:21 313001 10.133.2.254 Denied ICMP type=8, code=0 from 10.133.2.254 on interface outside

10.129.5.4 is the inside of the ASA and 10.133.2.254 is the inside of the pix.
 
It all works now. I deleted all of the dynamic crypto map stuff. I don't know why I had that in there. Looking in my ASDM, I saw that I somehow had created both a dynamic and a static crypto map on the ASA. The dynamic was priority 1 and it wasn't fully configured. I must have entered some commands incorrectly. That's gone now and everything works from both sides!!

Thanks for all your help!
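The two checks unclerico's reply calls for (every interesting flow present in both the crypto-map ACL and the nat 0 ACL, and the crypto ACLs on the two peers mirroring each other) and the misordered dynamic crypto map that turned out to be the cause in the last post can be verified mechanically before a tunnel is brought up. Below is an added example, not code from the thread or from Cisco: a small Python checker run over constructed excerpts of the two configs posted above. The ACL and crypto map names are the ones posted; the parser deliberately covers only the permit ip, crypto map and nat 0 lines it needs.

```python
import re
# Constructed excerpts of the two configs posted in the thread; peer addresses are not needed for these checks.
PIX_CFG = """
access-list HQ-VPN permit ip 10.133.2.0 255.255.255.0 10.129.5.0 255.255.255.0
access-list NONAT permit ip 10.133.2.0 255.255.255.0 10.129.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map HQ-VPN 1 match address HQ-VPN
"""
ASA_CFG = """
access-list NONAT extended permit ip 10.129.5.0 255.255.255.0 10.133.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.129.5.0 255.255.255.0 10.133.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OR-VPN 1 ipsec-isakmp dynamic dyn1
crypto map OR-VPN 2 match address outside_2_cryptomap
"""
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
DYN_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
NONAT_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")

def parse(cfg):
    # acls: name -> {(src, smask, dst, dmask)}; static/dynamic: crypto map seq -> ACL or dynamic-map name
    acls, static, dynamic, nonat = {}, {}, {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], set()).add((m[2], m[3], m[4], m[5]))
        elif m := MATCH_RE.match(line):
            static[int(m[2])] = m[3]
        elif m := DYN_RE.match(line):
            dynamic[int(m[2])] = m[3]
        elif m := NONAT_RE.match(line):
            nonat = m[1]
    return acls, static, dynamic, nonat

def interesting_flows(acls, static):
    # Every (src, smask, dst, dmask) referenced by a static crypto map entry's match-address ACL
    return set().union(*(acls.get(name, set()) for name in static.values()))

def check_site(cfg):
    # One firewall: interesting flows must be NAT-exempt (nat 0), and no dynamic entry may precede the static L2L entry
    acls, static, dynamic, nonat = parse(cfg)
    flows = interesting_flows(acls, static) - acls.get(nonat, set())
    findings = [f"not NAT-exempt: {s}/{sm} -> {d}/{dm}" for s, sm, d, dm in sorted(flows)]
    first_static = min(static, default=None)
    findings += [f"dynamic map {n} (seq {q}) precedes static L2L entry (seq {first_static})"
                 for q, n in sorted(dynamic.items()) if first_static is not None and q < first_static]
    return findings

def check_mirror(cfg_a, cfg_b):
    # Both firewalls: crypto ACLs must mirror each other (src/dst swapped); returns flows seen on only one side
    mirrored_b = {(d, dm, s, sm) for s, sm, d, dm in interesting_flows(*parse(cfg_b)[:2])}
    return sorted(interesting_flows(*parse(cfg_a)[:2]) ^ mirrored_b)
```

Run against the posted excerpts, the PIX side is clean, the two crypto ACLs mirror correctly, and the ASA side reports the dynamic map dyn1 at sequence 1 sitting ahead of the static entry at sequence 2.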
 